Overview
1) Install ipa-server
yum -y install ipa-server
2) Make sure /etc/hosts resolves the machine's own host name (the FQDN must map to the real interface address, as below, not to 127.0.0.1)
[root@ihost ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.104 ihost.mytest.org
[root@ihost ~]# hostname
ihost.mytest.org
2) Install the DNS server
If step 3 below is going to be run with --setup-dns, the DNS server software has to be installed first.
The DNS server consists of four packages:
[root@www ~]# rpm -qa | grep '^bind'
bind-libs-9.7.0-5.P2.el6_0.1.x86_64      <== libraries used by bind and its related commands
bind-utils-9.7.0-5.P2.el6_0.1.x86_64     <== client-side name lookup commands
bind-9.7.0-5.P2.el6_0.1.x86_64           <== the bind main program
bind-chroot-9.7.0-5.P2.el6_0.1.x86_64    <== confines the bind main program in a chroot
Installing ipa-server already pulls in bind-libs and bind-utils; bind and bind-chroot still have to be installed, plus the bind-dyndb-ldap plugin (which lets named read its zones from the IPA LDAP directory).
The simplest route is to install everything bind-related:
#yum -y install bind*
Before configuring ipa-server, set up DNS as follows:
(1) Add the custom zone to /etc/named.conf
zone "mytest.org" IN {
    type master;
    file "mytest.zone";
};
(2) Create the zone file mytest.zone (the forward A records plus the LDAP and Kerberos SRV/TXT records; it carries no reverse records) and put it in /var/named. The first two SOA fields are the primary name server and the responsible mailbox (written with '.' in place of '@'; hostmaster@mytest.org is just the conventional placeholder); both must be absolute names ending in a dot, otherwise BIND appends the zone name to them:
$TTL 1W
@   IN SOA ihost.mytest.org. hostmaster.mytest.org. (
        15   ; serial
        2D   ; refresh
        4H   ; retry
        6W   ; expiry
        1W ) ; minimum
    IN NS  ihost.mytest.org.
ihost.mytest.org.   IN A    192.168.1.104
ehost.mytest.org.   IN A    192.168.1.105
_ldap._tcp          IN SRV  0 100 389 ihost.mytest.org.
; kerberos realm
_kerberos           IN TXT  MYTEST.ORG
; kerberos servers
_kerberos._tcp      IN SRV  0 100 88  ihost.mytest.org.
_kerberos._udp      IN SRV  0 100 88  ihost.mytest.org.
_kerberos-master._tcp IN SRV 0 100 88 ihost.mytest.org.
_kerberos-master._udp IN SRV 0 100 88 ihost.mytest.org.
_kpasswd._tcp       IN SRV  0 100 464 ihost.mytest.org.
_kpasswd._udp       IN SRV  0 100 464 ihost.mytest.org.
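A mistake in this zone file (a missing _kpasswd SRV record, a wrong port, a TXT realm that does not match the Kerberos realm) only surfaces later as an obscure kinit or ipa-client-install failure, so it is worth checking the file before running the installer. The checker below is an added example, not code from the original post or from FreeIPA; it embeds a constructed copy of the mytest.org zone above and assumes the realm is MYTEST.ORG. It parses the zone (stripping comments and the bracketed SOA body), then verifies that every SRV name an IPA client looks up is present with the expected port, that each SRV target has an A record in the zone, and that the _kerberos TXT record names the realm.

```python
"""Added example, not from the original post: check a BIND zone file for
the SRV and TXT records a FreeIPA client uses to find its server, before
ipa-server-install is run.  SAMPLE_ZONE is a constructed copy of the
mytest.zone file from the walkthrough."""
import re

SAMPLE_ZONE = """\
$TTL 1W
@   IN SOA ihost.mytest.org. hostmaster.mytest.org. (
        15   ; serial
        2D   ; refresh
        4H   ; retry
        6W   ; expiry
        1W ) ; minimum
    IN NS  ihost.mytest.org.
ihost.mytest.org.   IN A    192.168.1.104
ehost.mytest.org.   IN A    192.168.1.105
_ldap._tcp          IN SRV  0 100 389 ihost.mytest.org.
_kerberos           IN TXT  MYTEST.ORG
_kerberos._tcp      IN SRV  0 100 88  ihost.mytest.org.
_kerberos._udp      IN SRV  0 100 88  ihost.mytest.org.
_kerberos-master._tcp IN SRV 0 100 88 ihost.mytest.org.
_kerberos-master._udp IN SRV 0 100 88 ihost.mytest.org.
_kpasswd._tcp       IN SRV  0 100 464 ihost.mytest.org.
_kpasswd._udp       IN SRV  0 100 464 ihost.mytest.org.
"""

# SRV names an IPA client looks up, with the port each must carry.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}


def parse_zone(text):
    """Return (srv, txt, a) from a zone file.

    srv maps owner -> [(port, target)], txt maps owner -> text,
    a maps owner -> address.  Only 'owner IN TYPE rdata' lines are
    handled; the bracketed SOA body is stripped first so its timer
    values cannot be mistaken for records."""
    no_comments = "\n".join(re.sub(r";.*", "", ln) for ln in text.splitlines())
    body = re.sub(r"\([^)]*\)", "", no_comments)
    srv, txt, a = {}, {}, {}
    owner = None
    for ln in body.splitlines():
        if not ln.strip() or ln.startswith("$"):
            continue
        tok = ln.split()
        if ln[0].isspace():          # blank owner field: inherit the previous one
            tok = [owner] + tok
        owner = tok[0]
        if len(tok) < 4 or tok[1].upper() != "IN":
            continue
        rtype, rdata = tok[2].upper(), tok[3:]
        if rtype == "SRV" and len(rdata) == 4:      # prio weight port target
            srv.setdefault(owner, []).append((int(rdata[2]), rdata[3]))
        elif rtype == "TXT":
            txt[owner] = " ".join(rdata).strip('"')
        elif rtype == "A":
            a[owner] = rdata[0]
    return srv, txt, a


def check_zone(text, realm):
    """Return a list of problems; an empty list means every record
    ipa-client-install and kinit will look for is present and sane."""
    srv, txt, a = parse_zone(text)
    problems = []
    for name, port in REQUIRED_SRV.items():
        hits = srv.get(name)
        if not hits:
            problems.append("missing SRV record %s" % name)
            continue
        for p, target in hits:
            if p != port:
                problems.append("%s points at port %d, expected %d" % (name, p, port))
            if target not in a:
                problems.append("%s target %s has no A record in the zone" % (name, target))
    if txt.get("_kerberos") != realm:
        problems.append("_kerberos TXT is %r, expected realm %r"
                        % (txt.get("_kerberos"), realm))
    return problems


if __name__ == "__main__":
    for line in check_zone(SAMPLE_ZONE, "MYTEST.ORG") or ["zone OK"]:
        print(line)
```

To check a real file, replace SAMPLE_ZONE with the contents of /var/named/mytest.zone; the check is deliberately offline so it can run before named is started at all.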
3) Configure ipa-server
#ipa-server-install
If there is no usable DNS server on the LAN, it is best to let ipa-server set up the DNS service itself with the --setup-dns option:
#ipa-server-install --setup-dns
The installer then asks for the following by hand:
Existing BIND configuration detected, overwrite? [no]: no   (keep the existing DNS configuration)
Server host name [ihost.mytest.org]:   (default)
Please confirm the domain name [mytest.org]:   (derived from the host name)
Please provide a realm name [MYTEST.ORG]:   (the Kerberos realm name is derived from the DNS domain)
Directory Manager password:   (password for cn=Directory Manager, the LDAP super-user)
IPA admin password:   (password for the admin user)
Do you want to configure DNS forwarders? [yes]: no   (no forwarders)
Do you want to configure the reverse zone? [yes]: no   (no reverse zone)
The IPA Master Server will be configured with:
Hostname: ihost.mytest.org
IP address: 192.168.1.104
Domain name: mytest.org
Realm name: MYTEST.ORG
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Reverse zone: No reverse zone
Continue to configure the system with these values? [no]: yes   (confirm)
The installer then configures and starts each service, with output like the following:
Configuring NTP daemon (ntpd)
Configuring directory server for the CA (pkids): Estimated time 30 seconds
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
Configuring directory server (dirsrv): Estimated time 1 minute
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
Configuring kadmin
Configuring ipa_memcached
Configuring the web interface (httpd): Estimated time 1 minute
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.KdkDdh.db
Restarting the web server
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
You can check with netstat -tanp whether the ports above are actually being served; if some are not, look for errors in /var/log/messages. A common failure is that named (the DNS server) will not start, with the message "Failed to parse the principal name DNS" in /var/log/messages.
The likely cause is that the chroot keeps named from reading some of its files correctly; see
https://www.redhat.com/archives/freeipa-users/2013-February/msg00447.html
The fix is to remove the bind-chroot package and then restart named by hand.
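Eyeballing netstat output for nine ports is error-prone, and a service that came up bound only to 127.0.0.1 looks "listening" but is unreachable from clients. The script below is an added example, not from the original post or from FreeIPA; it embeds a constructed `netstat -tulnp` listing (the -u and -l switches add UDP sockets and restrict the output to servers, which the `netstat -tanp` suggested above does not) and compares it against the installer's port list, optionally including 53 for the DNS service configured above. Loopback-only bindings are treated as not served.

```python
"""Added example, not from the original post: parse netstat output and
report which of the ports the installer listed are not actually being
served.  SAMPLE_NETSTAT is a constructed `netstat -tulnp` listing."""

# (proto, port) pairs from the installer's "Next steps" list.
REQUIRED = {
    ("tcp", 80), ("tcp", 443),      # HTTP/HTTPS
    ("tcp", 389), ("tcp", 636),     # LDAP/LDAPS
    ("tcp", 88), ("tcp", 464),      # kerberos
    ("udp", 88), ("udp", 464),      # kerberos
    ("udp", 123),                   # ntp
}
DNS_PORTS = {("tcp", 53), ("udp", 53)}   # only when --setup-dns was used

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2011/ns-slapd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2011/ns-slapd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      2150/krb5kdc
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      2160/kadmind
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2200/memcached
tcp        0      0 :::80                   :::*                    LISTEN      2310/httpd
tcp        0      0 :::443                  :::*                    LISTEN      2310/httpd
udp        0      0 0.0.0.0:88              0.0.0.0:*                           2150/krb5kdc
udp        0      0 0.0.0.0:464             0.0.0.0:*                           2160/kadmind
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1990/ntpd
"""

LOOPBACK = {"127.0.0.1", "::1"}


def served_ports(netstat_text):
    """Return {(proto, port)} for sockets reachable from the network:
    TCP sockets in LISTEN state and every bound UDP socket, excluding
    those bound only to a loopback address."""
    served = set()
    for ln in netstat_text.splitlines():
        tok = ln.split()
        if len(tok) < 4 or tok[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = tok[0].rstrip("6")
        if proto == "tcp" and "LISTEN" not in tok:
            continue                  # a -a listing also shows client connections
        addr, port = tok[3].rsplit(":", 1)   # works for "0.0.0.0:88" and ":::80"
        if addr in LOOPBACK:
            continue
        served.add((proto, int(port)))
    return served


def missing_ports(netstat_text, with_dns=False):
    """List the required (proto, port) pairs that nothing is serving."""
    required = (REQUIRED | DNS_PORTS) if with_dns else set(REQUIRED)
    return sorted(required - served_ports(netstat_text))


if __name__ == "__main__":
    for proto, port in missing_ports(SAMPLE_NETSTAT, with_dns=True):
        print("not listening: %s/%d" % (proto, port))
```

Run against the real box by piping `netstat -tulnp` into the script; the constructed sample has no named listening on 53, so with_dns=True reports exactly the DNS ports, which is the named-fails-to-start case described above.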
4) Obtain a ticket for the admin user
[root@ihost ~]# kinit admin
Password for admin@MYTEST.ORG:
[root@ihost ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@MYTEST.ORG
Valid starting Expires Service principal
10/06/14 16:39:08 10/07/14 16:39:02 krbtgt/MYTEST.ORG@MYTEST.ORG
The cache now holds a ticket for the admin user; the default ticket lifetime is one day.
5) Back up the CA certificate
If the IPA server will have replicas, back up the /root/cacert.p12 file. It contains the CA's private signing key (protected by the Directory Manager password), so keep the copy offline and treat it like the Directory Manager password itself. The installer's own reminder:
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
6) Disable the firewall
service iptables stop
This is the quick route for a lab box. On any server that matters, leave iptables running and open only the ports from the installer's list (TCP 80, 443, 389, 636, 88, 464; UDP 88, 464, 123; plus TCP and UDP 53 if the server also runs the DNS service configured above).
7) HTTPS login test
From another machine you can now log in at https://ip-address. The web UI redirects to the server's FQDN, so the client must be able to resolve the IPA server's host name.
If the browser reports the following error:
An error occurred while connecting to ipa.cg.cn. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)
then delete the previously cached IPA CA certificate from the browser's certificate store (this happens when the server was reinstalled and the new CA issued a certificate with a serial number the browser already knows).
8) Uninstall
If the settings chosen during installation are not satisfactory, run ipa-server-install --uninstall to remove the configuration, then configure again.
9) Command line
ipa help lists all available commands.
9.1) Show user information
[root@ihost home]# ipa user-show user1 --all
dn: uid=user1,cn=users,cn=accounts,dc=test,dc=com
User login: user1
First name: user
Last name: 1
Full name: user 1
Display name: user 1
Initials: u1
Home directory: /home/user1
GECOS field: user 1
Login shell: /bin/sh
Kerberos principal: user1@TEST.COM
Email address: user1@test.com
UID: 141600001
GID: 141600001
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
ipauniqueid: 8ff8b5ce-930b-11e4-90a3-525400297029
krbextradata: AALJhKdUcm9vdC9hZG1pbkBURVNULkNPTQA=
krblastpwdchange: 20150103055729Z
krbloginfailedcount: 0
krbpasswordexpiration: 20150103055729Z
krbpwdpolicyreference: cn=global_policy,cn=TEST.COM,cn=kerberos,dc=test,dc=com
mepmanagedentry: cn=user1,cn=groups,cn=accounts,dc=test,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
9.2) Show the IPA server configuration
[root@ihost home]# ipa config-show --all
dn: cn=ipaConfig,cn=etc,dc=test,dc=com
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: test.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=TEST.COM
Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC
cn: ipaConfig
objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject
9.3) Modify user attributes
$ ipa user-mod loginID --attributeName=newValue
This command cannot change the krbpasswordexpiration attribute, though; it fails with an insufficient-privilege error:
[root@ihost home]# ipa user-mod user1 --setattr=krbPasswordExpiration=20161231011529Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'uid=user1,cn=users,cn=accounts,dc=test,dc=com'.
Trying to set the same attribute through the password policy gives the same error:
[root@ihost home]# ipa pwpolicy-show --all
dn: cn=global_policy,cn=TEST.COM,cn=kerberos,dc=test,dc=com
Group: global_policy
Max lifetime (days): 0
Min lifetime (hours): 0
History size: 0
Character classes: 0
Min length: 6
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
objectclass: top, nsContainer, krbPwdPolicy
[root@ihost home]# ipa pwpolicy-mod global_policy --setattr=krbPasswordExpiration=20161231011529Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute of entry 'cn=global_policy,cn=test.com,cn=kerberos,dc=test,dc=com'.
Both errors are expected: krbPasswordExpiration is a per-user attribute that the admin account's write permissions in this version do not cover, and it is not an attribute of the krbPwdPolicy object at all (the policy's own field is the maximum lifetime, krbMaxPwdLife). The supported way to control expiry is the policy: ipa pwpolicy-mod global_policy --maxlife=<days>. A per-user expiration date can only be written by binding as cn=Directory Manager (for example with ldapmodify), which bypasses the IPA access controls and should be reserved for exceptional cases.
9.4) Change a user's password
[root@ihost home]# ipa passwd user1
New Password:
Enter New Password again to verify:
-------------------------------------
Changed password for "user1@TEST.COM"
-------------------------------------
A password set by an administrator this way is expired immediately: krbPasswordExpiration is set equal to krbLastPwdChange, which is exactly what the user1 output in 9.1 shows. The user is therefore forced to choose a new password at the first kinit, so the administrator never holds a long-lived user password.
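When auditing accounts, the pair of timestamps printed by ipa user-show --all tells you whether a password is freshly admin-set, expired, or about to expire. The script below is an added example, not code from the original post or from FreeIPA; it embeds a constructed excerpt of the user1 dump from 9.1 and classifies the password state at a given point in time (passed as the same GeneralizedTime format ipa prints, YYYYMMDDHHMMSSZ). The warn_days threshold of 7 is an assumption chosen for the example.

```python
"""Added example, not from the original post: read the attribute dump
from `ipa user-show <login> --all` and classify the account's password
state from krbLastPwdChange and krbPasswordExpiration.  SAMPLE_USER_SHOW
is a constructed excerpt matching the user1 output in the text."""
from datetime import datetime, timedelta

SAMPLE_USER_SHOW = """\
dn: uid=user1,cn=users,cn=accounts,dc=test,dc=com
User login: user1
Kerberos principal: user1@TEST.COM
Account disabled: False
Password: True
krblastpwdchange: 20150103055729Z
krbloginfailedcount: 0
krbpasswordexpiration: 20150103055729Z
krbpwdpolicyreference: cn=global_policy,cn=TEST.COM,cn=kerberos,dc=test,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount,
krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
"""


def parse_user_show(text):
    """Turn 'Label: value' lines into a dict keyed by lower-cased label.
    Continuation lines without ': ' (a wrapped objectclass list) are skipped."""
    attrs = {}
    for ln in text.splitlines():
        if ": " in ln:
            key, val = ln.split(": ", 1)
            attrs[key.strip().lower()] = val.strip()
    return attrs


def gtime(value):
    """LDAP GeneralizedTime as printed by ipa (YYYYMMDDHHMMSSZ, UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def password_state(text, now, warn_days=7):
    """Classify the password of one user-show dump at time `now`
    (a GeneralizedTime string).  Returns one of:
      no-password   - no password is set on the account
      no-expiry     - password set but no expiration recorded
      must-change   - expiration is not later than the last change, which
                      is what an admin-set password looks like
      expired       - expiration lies in the past
      expiring-soon - expires within warn_days
      ok"""
    attrs = parse_user_show(text)
    if attrs.get("password") != "True":
        return "no-password"
    if "krbpasswordexpiration" not in attrs:
        return "no-expiry"
    expires = gtime(attrs["krbpasswordexpiration"])
    changed = gtime(attrs["krblastpwdchange"]) if "krblastpwdchange" in attrs else None
    if changed is not None and expires <= changed:
        return "must-change"
    if expires <= gtime(now):
        return "expired"
    if expires - gtime(now) <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


if __name__ == "__main__":
    # The sample shows expiration == last change: an admin-set password.
    print(password_state(SAMPLE_USER_SHOW, "20150110000000Z"))
```

Feeding it the output of `ipa user-show <login> --all` for each login from `ipa user-find` turns this into a quick sweep for accounts still sitting on an admin-assigned password that was never changed.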
9.5) Restart the IPA server
#ipactl restart
Source: "freeipa(1) server setup", collected by 彪壮豆芽 on 靠谱客.